On 02/24/2011 11:59 AM, Chris Bennett wrote:
> I am going to point out another factor in my reasoning:
> Basically, there is no reason to assume that my self-signed certificate is
> any less secure than paying someone who is in a browser's root certificates.
>
> As a contractor in construction, one article I wrote for my potential
> customers is how to decide if you should do the work yourself or hire
> someone else to do it.
>
> In this case, if I hire someone as a CA, I have just spent money. That comes
> straight out of my wages. I have to now earn this money back or not eat, pay
> rent, etc.
> If I self-sign, I now get to keep that money. In fact, I may now be able to
> spend additional time improving security on my websites and my programming. I
> could potentially end up improving users' security by NOT having to earn back
> spent money.

http://www.startssl.com/

Why pay if you can have one for free trusted by every major browser? Sure, the "class 2" ones are pay-for, but the free one works as well as a self-signed one (except for the "CA sells out like PayPal" idea, which I admit is possible, though, in the US, the government can just push any CA to give them a valid cert anyway).

>
> It is not my fault if some users are stupid. I actually spent some time
> making security details available to my users. If they care, they are now
> educated, if not, what can you do?

Nothing. Educating is the only solution; if they don't care, it's their problem.

>
> Chris Bennett
>

--
Hugo Osvaldo Barrera